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General Information 

Questions or comments ©e|pifiing to this policy guide can be directed to: 
Federal Bureau of Investigation Headquarters, Records Management Division 
Division point of contact: Unit Chief. Records Management Application Unit 


Supersession Information 

This document supersedes the FBI Electronic Recordkeeping Certification Manual, dated April 
30. 2004; 66F-HQ-A1358157-POLI serial 157; 319Q-HQ-A1487617 
serial 17. and Policy Directive 0249D. Metadata Tagging of Electronically Stored Information in 

FBI Systems. 



is document and its contents arc the property of the FBI. If the document or its contents arc 
vided to an outside agency, it and its contents are not to be distributed outside of that agency 


without the written 



ia$ion of the unit or individual(s) listed in the contact section of this 
policy guide. 
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1. Introduction 


The Federal Bureau of Investigation (FBI) is required by statute to “make and preserve records 
containing adequate and proper documentation of the organization, functions, policies, decisions, 
proc||I^ji|, and essential transactions of the agency.” 1 This practice of maintaining “adequate 
and documentation”" is essential to efficient and economical agency operations because it 

ensures that information is documented in official files, including electronic recordkeeping (ERK) 
systems, where it will be accessible to all authorized staff. 


As the FBI continues to advance from paper-bas 
information management systems, the emphasis 
designing systems that integrate processes and p 
record content and associated metadata. These s 

procedures governing the management 




^'electronic records and electronic 
m managing physical documents to 
the creation and management of 
ing records must comply with the 
records. 


^iheres to the electronic recordkeeping certification (ERKC) process to ensure that 
' ^information systems comply with federal records requirements. The Records 
^/MM^^nt Application Unit iRMAUi of the Records Management Division (RMD) leads the 
centncauon process in collaboration with system owners. Development of new information or 
knowledge management (KM) systems may continue without certification; however, it is 
incumbent on the project manager (PM) and system owner for any information or KM system in 
development to ensure coordination with RMAU and obtain certification. 


Implementation of the ERKC process ensures that the systems the FBI develops and maintains 
comply with statutory and agency ERK requirements. The ERKC process incorporates ERK 
requirements into the system development life cycle (SDLC) so that all system development 
activities can appropriately consider ERK criteria from the earliest stages of acquisition and 
design. 

The ERKQ^e^.^y^uates system compliance with records management (RM) criteria. The 
process is ^i^^'^'^uide system owners and developers in assessing and incorporating RM 
criteria int^js^^u^airemenls specifications and to ensure fulfillment through the review of 
detenjmentotfjt'fiisi&fe:aide The ERKC process consists of identifying systems that contain records; 
helping system owners, PMs. and developers understand ERK criteria; ensuring that system 
requirements specifications satisfy ERK criteria; and validating ERK functionality through the 
review of system test results. The ERKC process is designed to leverage ths^vS^lJuts from 
existing information technology (IT) systems management processes to redundant data 

capture and reduce the burden on systems development and management activities. 


1.1. Purpose 


The goal of the ERKC process is to ensure that electronic information systems comply with 
statutory and agency ERK criteria, including requirements for the proper creation, maintenance 
use, and disposition of FBI records. These requirements should be incorporated into the design 
and deployment of new electronic information and KM systems (hereafter collectively referred 


' The Federal Records Act, 44 U.S.C. Section (§) 3101 (1950) 

'• This phrase was originally used in the Federal Records Act of 1950. which established records management as a 
basic responsibility of all federal agencies. 
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to as '‘electronic information systems”) and ensure that all existing FBI systems are also in 
compliance. 


The Electronic Recordkeeping Certification Policy Guide accomplishes the following objectives: 
« It defines the authorities, rol^^^^^sfeljities, processes, and documentation 


requirements that govern thes 

It serves as a guide for syster 
members to the activities req« 
ERKC. 


..of FBI-owned and FBI-sponsored IT systems. 

T. system owners, PMs. and certification team 
lc$$B$-owned and FBI-sponsored systems to obtain 


1.2. Intended Audience 


This PG is intended for IT system owners, PMs, and developers, as well as the RMAU 
certification team. 
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2. Roles and Responsibilities 

This section summarizes the primary roles and responsibilities of the two principal participants 
in the ERKC process. Subsection 2.1. describes the responsibilities of the system owner. 
Subsection 2.2. describes the responsibilities of RMAU. 

2.1, System Owners 

The system owner’s role is to ensure that the FBI electronic information systems for which he or 
she is responsible meet the FBI ERK criteria. In operating the systems and participating in 
ERKC activities, system owners must: 

• Notify RMAU of all planned new electronic information systems and existing legacy 
electronic information systems by completing the Electronic Systems Quest i onnai re 
(ESQ) during early system planning and development. 

• Meet with RMAU. when requested, to help determine whether electronic information 
systems contain records. 

• Develop and incorporate the appropriate ERK criteria into the electronic information 
system requirements specifications and integration/acceptance test plans (in consultation 
with RMAU. if so desired). 

» Provide standard electronic information system documentation (e.g., system security 
plans, user guides, system administration manpals,..system design documents), as 
requested by RMAU, to support the ERKCiprOcoss-- 

• Comply with the terms and conditions of if® appropriate certification (i.c., approval to 
operate | ATOj. interim approval to operate JJATO^&nd no approval to operate |NATO|) 
for each electronic information system. 

• Notify RMAU of any planned changes to any electronic information system operating 
under an ERK ATO that affect data management of the system, which in turn might 
adversely affect the ERKC. 

• Determine the feasibility of successfully executing risk mitigation plans (RMPs), and 
notify RMAU. Feasibility is determined using factors that include, but are not limited to, 
time to execute, cost, and technical constraints. 

• Cooperate with RMAU for system review and recertification activities by coordinating a 
Privacy Impact Assessment (PIA) from the Office of the General Counsel (OGC) and a 
Security Assessment and Authorization (SAA) from the Security Division (SccD) for 
each electronic information system granted an ERK ATO. 

• Notify RMAU of the changes being made to address risks identified during the ERKC 
process that result in an ERK IATO or NATO determination. 

2.2. Records Management Application Unit 

The principal role of RMAU is to determine whether FBI systems contain records. If a system is 
determined to contain records, RMAU certifies whether the system meets FBI criteria for an 
ERK system. In performing ERKC activities. RMAU must: 
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Determine, in consultation with system owners, whether an electronic information system 
contains records (for legacy electronic information systems) or will contain records once 
implemented (for new electronic information systems). 

Determine, for data created and maintained on the electronic information system, records 
disposition guidelines that will meet the operational needs of the program office, the 
statutory S jjg feifor the FBI. and the historical documentation needs of the National 
Archives i«S|j|jbeords Administration (NARA). 

Provide advice and guidance to system owners when they are selecting their preferred 
approaches to meeting ERK criteria. 

Provide assistance on the development of the ERKC portions of test plans. 


Review and evaluate electronic information system documentation, from an ERKC 
perspective, and report the results of the ERKC evaluation. 

Determine whether the validation of ERK functions by demonstration is required, and 
notify system owners of the requirement. 


Perform risk analyses, as needed, for electronic information systems to determine 
whether the risks posed by electronic information systems that do not meet all ERK 
criteria are acceptable. 


Prepare RMPs for electronic information syste 



o not meet all ERK criteria. 


Determine the appropriate ERK certification (i.e.. ATO. 1ATO. or NATO) for each 
electronic information system. 


Review electronic information systems operating under ATO and 1ATO no less than 
every three years, and determine whether to grant recertification (i.e., a new ATO), issue 
an 1ATO, or issue a NATO for these electronic information systems. 
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f^-operated electronic information systems used to process FBI 
ifeof wheiTrchey operate, must undergo the ERKC process in accordance 


All FBI-o\p 
information ii 


with the procedures described in this PG. 
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4. Procedures and Processes 

This section describes the ERKC process for both new and legacy systems. While ERK criteria 
are the same for both new and legacy systems, the processes for obtaining certification are 
different. Subs e ctio n 4.3. describes the ERKC process for new systems; su bsection 4.2. describes 
the ERKC process for legacy systems. Subsection 4,3. discusses the risk management analysis 
conducted for both new and legacy systems. 

The ERKC process described in this PG is the FBI’s official process for evaluating the technical 
and nontechnical electronic RM features of FBI information systems and for determining 
whether those features satisfy the ERK compliance criteria. RMAU must determine (he potential 
implications of noncompliance with ERK criteria. The “Comi^p^olumn in the ERK 
Compliance Evaluation Worksheet may be used to record the i^J>!i|ations. The certification 
determination may take one of the following forms: 

• ATO: an approval to operate a system because the system meets all recordkeeping 
criteria (ATOs must be recertified every three years). 

» IATO: a temporary approval to operate a system for a defined period of time and under 
certain defined conditions. 

• NATO: a denial of approval to operate a system because it fails to meet recordkeeping 
criteria. 

Systems that contain, or will contain, records in non-textual formats, such as digital photographs, 
digital audio, and geospatial data, are also evaluated during the records assessment and ERKC 
processes. This evaluation is required to ensure readability of the data for the entire records 
retention life cycle. Software obsolescence, proprietary format issues, and other factors can 
hamper readability as electronic information systems are upgraded or replaced. When 
establishing system rcqoiretnMiSv System owners should contact RMAU to determine the 
additional data rctentio>.r;chjfiler>g'eh for these types of formats. Owners of legacy systems 
containing data in these formats.Should work with RMAU to determine any risks associated with 
the formats so that risk can be implemented, thereby avoiding loss of data due to 

technological obsolescence and ensuring readability throughout the required records life cycle. 

4.1. ERKC Process for New Systems 

The ERKC process for new systems requires system owners and RMAU to undertake activities 
in all four phases of the ERKC life cycle: namely, the definition phasg^ ygri fication phase, 
validation phase, and post-certification phase. The sections below these activities and 

provide a simplified checklist approach to outline who performs necp^ipthclions and tasks and 
who must produce certain written products to support the certification process. 

4.1.1. Definition Phase 

The definition phase begins when RMAU becomes aware of a potential new system. This phase 
may be triggered by the flow of certain documentation (e.g.. business plans in the form of 
Exhibit 300s or Exhibit 53s, system security plans, or application architectures) through RMD or 
IT life cycle management working groups and boards. Once aware of the system, RMAU must 
work with the system owner to determine whether the system will contain records. If not. the 
process stops and RMAU must make entries into the RMAU tracking and control system and the 
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Bureau Information Technology Knowledge Repository' (BIKR) to reflect that the system does 
not contain records. The program office an^gjjpjT portfolio manager and/or PM for the system 
must be notified of this determination by R|jfii§§ through an electronic communication (EC), 
which must contain a basic description of system, indicate that the system docs not contain 
records, and include the basis for the determination. The notification EC is maintained by RMD 
in the 319U-HQ-A1487670-RMD file. 

A classification 242 case file must be established for uploading documentation related to the 
management of each Section 6 of this PG for more information). RMAU will 

establish the 242 case f^^5y^|^|ation with either the system owner or program manager. If 
the system will contain^^^^^^AU and the system owner must create a records disposition 
schedule. A records dis^^^^f^^dule provides specific and mandatory instruction for the 
management of record^p|^|^nta)ned, and used by systems during the conduct of FBI 
operations and specifics the overall retention of the records once the operational needs have been 
met. A records disposition schedule may already exist, or one may need to be developed. 

Records disposition schedules, once drafted to meet the business needs of the program office, 
must be coordinated with RMAU and approved by NARA. 

If RMAU determines that the records being maintained by a system will require retention in the 
system for ten years or less, RMAU must cite appropriate records disposition guidance formally 
with a notification EC, and the system will not require ERKC. 


Figure 1 illustrates the steps in the definition phase, including who is responsible for each action 
and what products (if any) must be produced,^each step by each party (i.c., RMAU or system 
owner). 





Activity 

Product 

Activity 

Product 

J]] Review available 
system documentation 
(c.g., Exhibit 300s, 

Exhibit 53s, system 
security plans, 
application 

architectures) to identify 
new systems. 

Entry in RMAU ERKC 
tracking system. 

• v 

>* 

: • • 

V 

[ 2 ] Meet with the system 
owner to determine 
| v;feher system will 
iggpfiin records. 

Description of the 
system for inclusion 
within the RMAU 
tracking system and an 
indication of whether 
system contains records 

Meet witHtRSC^J^y- 
determine 
system will contain 
records. 

9 ' 

'r' k < ■ "S- 

" ' ■ ' * 

Tiff*'. f 

. . . 

If “YES,’' proceed to 

Step 3 and Step 4. 


If “YES,” proceed to 
Step 3. 
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ERKC Definition Phase:^ 



If‘‘NO,” issue a 
notification EC. 


Product 


Notification EC 


iiii 


: 


Records disposition 
guidance or new draft 
records schedule, as 
appropriate 


Update to RMAU ERKC 
tracking system 


|4j Assist system owner 
in establishing ERK 
approach. 

Determine if records 
will be managed under 
art existing records 
schedule, or if a new 
records schedule should 
be developed. 


Figure 1. ERKC Definition Phase - New System 

4.1.2. Verification Phase 

The verification phase follows the definition phase. Its purpose is to ensure the inclusion of ERK 
criteria in system requirements specifications and test plans. This will enable the system to meet 
ERK criteria when it undergoes subsequent integration and acceptance testing. Figure 2 
illustrates the steps and products associated with (his phase. The ERK assessment criteria, 
sample tests, and expected results are provided in Appendix E . 



[3] Manage system 
development materials 
in accordance with 
classification 242 
guidelines, and 
establish use of B1KR 
to track. Establish a 
classification 242 case 
file under the 
guidclines of Section 6 
of this PG. 


Q Meet with RMAU to 
discuss ERK 
requirements and 
determine if records 
disposition 
requirements can be 
addressed within 
existing system 
functions. 


8 

UNCLASSIFIED 


















UNCLASSIFIED 

^Electronic Recordkeeping Certification Policy Guide 


System ERKC Verification Phase: Activities avfd oducts 


Activity 


|s] Assist system owner 
ir. understanding ERK 
criteria (as requested by 
owner). 

. m———————————m 

M Assist system owner 
in incorporating 
necessary ERK criteria 
into system 
requirements 
documentation (as 
requested by system 
owner). 


in incoiporating 
necessary ERK criteria 
into test plan (as 
requested by system 
owner). 


Product 

Activity 

Copy of records 
schedule (or proposed 
records schedule) 

js] Understand ERK 
criteria sufficiently to 
develop system 
ffejjplfcments. 

Comments and 
recommendations on 
system requirements 
documentation 

Develop sy&Ujsuv. 
requirements _ 
docu men tatids£l?il 
incorporating necessary 
ERK criteria. 

Comments and 
recommendations on 
test plan 

^ Develop the system 
integration and/or 
acceptance test plans, 
incorporating necessary 
ERK criteria. 




Product 




1 requirements 
entation 

sing ERK criteria. 




The validation phase begins following the development of the test plan. During this phase, the 
system owner must conduct integration/acceptance testing in accordance with the test plan. 
RMAU must review the results of testing and other system documentation (such as the PIA from 
OGC and the system security documentation from SccD) to validate-compliance. with ERK 
criteria. RMAU must then produce a system certification repo?Umcf-t§stic ; gtA ERfvATO if the 
system meets all ERJiifiteria. If areas of noncompliance arc kiertytle#. aiT.ER^.l/\^0;must be 
issued, and RMA$P$^.t prepare an RMP. Figure 3 illustratcs^J6lsi^gs--anil«prcif3rscl^a t ‘Kociated 
with this phase. ' •' 

RMAU must review ER&'^VTO determinations every three yetjffs;Jft.p3{‘pr4*.maji5rsystem 
changes. A system enteg&ijpgr currently in. the product de velogmeat - {jrocpsR for-following) 

the effective date of this PG are required to achieve an ERK A^0ru^oii:6beriwhg Jaily. 
operational. If the system fails to achieve an ERK ATO and aft j : sis&iTsiSif iKc system 

owners and developers must devise a plan to achieve ERK ATO by the next review, in 
accordance with the three-year review cycle. The plan must be submitted to RMAU within 120 
days of ERK 1ATO notification. 


ERK NATO determinations will preclude the use of the system to conduct FBI business. If a 
SfUN 1 receives an ERK NATO. RMD must notify the Director of the FBI, the Information 
ij ji|inoloKv Customer Relationship and Management Division (iTCRM D ) , OGC, SccD. and the 
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system owner and/or PM. The system must be taken offline, or identified risks must be mitigated 
within 30 days. 


|Sj Support integration/ 
acceptance testing (as 
requested by the system 
owner). 


Hj Conduct the 
integration/ acceptance 
testing and document the 
test results. Provide a 
copy of the results to 
RMAU. 


Test results 


System certification 
report and ATO 


If “YES,” proceed to 
operate the system; go to 
Step 12 (subsection 
4.1.4.. “Post-Certification 
Phase”). 


Certification Phase”). 


If "NO.” proceed to Step 

10 . 


If "NO,” proceed to Step 

10 . 


[io| Determine whether 
existing risks are 
acceptable. 


System certification 
report, RMP, and 
I ATO 


If "NO,” work with 
RMAU to revise the 
mitigation plan and create 
an implementation plan 
that meets both program 
office and RMAU needs. 


|yj Review the test results 
and system documentation 
to determine whether all 
ERK criteria have been 
met. 

if "YES/’certify the 
system by granting ATO. 
Proceed to Step 12 
( s ub section 4.1.4. . "Post- 


flo| If "YES,” operate 
system under the terms of 
the IATO. Provide 
RMAU with an 
implementation plan 
within 90 days. 


recommendations on 
conduct of 

integration/acceptance 

testing 


Written 

acknowledgement of 
the terms of the 
I ATO and 

implementation plan 


Revised mitigation 
plan and 

implementation plan 


If "YES,” issue IATO (not 
to exceed one year). 
Proceed to Step 11. 


If “NO,” work with the 
program office to create a 
mitigation plan that meets 
both program office and 
RMAU requirements. 
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Activity 


Product 


Hi] Examine the 
implementation plan. 


jnj Examine the 
implementation plan and 
determine its feasibility. 


If the plan is feasible (i.e., 
‘'YES”), proceed to the 
next step. 

If the plan is not feasible 
(i.e.. “NO”) work with 
program office to revise 
the implementation plan to 
meet both program office 
and RMAU needs. 


If “NO.” work with 
RMAU to revise the 
implementation plan to 
meet both program office 
and RMAU needs. 


Figure 3. ERKC Validation Phase - New System 


4.1.4. Post-Certification Phase 


The post-certification phase has two primary objectives. The first is to enable RMAU to 
determine whether the terms of any ERK IATO should be extended, or whether the ERK 1ATO 
should be ehanged to an ERK A TO or an ERK NATO. The second is to perform routine, 
periodic (every three years) reviews of the status of systems granted ERK ATOs to ensure that 
these systems continue to meet all ERK criteria. 

As described in this section, RMAU issues an ERK IATO with certain terms and conditions. In 
addition, an ERK IATO may accommodate the development iisy.limplementation of a system put 
in place to meet emergency operational needs (e.g.. during naippgsasters). Similarly, an ERK 
IATO may authorize the operation a restricted operational environment (e.g.. on a 

separate local area network not conr^^jt&lb^FBl Intranet) to serve as a proof of concept 
before implementing its fully ERK-<y.jgi^3^xS$ll ERK ATO) counterpart on a broader scale. 

Regardless of the terms and conditiri^JgSO”e£|& with the ERK IATO, the intent of the post¬ 
certification phase is to examine the operatiorTof the system covered by the IATO and determine 
the next appropriate step to be taken. In the case of a system developed for emergency 
operational needs, the appropriate action may be to disallow continued operations (e.g., the 
emergency is over) and require all of the records created within the system to be transferred to an 
approved records management application (RMA) or another system that can properly manage 
the records for their entire life cycle. 

With respect to systems granted ERK ATOs. RMAU must review the operation of these systems 
every three years to ensure continuing compliance with ERK criteria. This three-year review 
cycle should correspond with the PLA from OGC and use information from the npjUgurrenl 
SAA from SccD. Maintaining the certification is contingent upon continued adh<||||Sito the 
provisions of ERK criteria. i®SlgSS 
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Once granted an ERK ATO. a system may undergo changes (e.g., new functionality) that could 
prevent the system from satisfying the ERK criteria. As upgrades or changes to the system are 
planned, the system owner must provide change requests through the 1TB change request process 
for pre-coordination by RMAU to ensure that these changes do not alter spy recordkeeping 
aspects of the system. In such cases. RMAU may require further mo^fPlions to the system in 
order to accommodate these criteria. IfBll .^ 


Figure 4 illustrates the steps and products associated with the post certification phase. Hgggj 


New Systt 

m ERKC Post Certif 

ical «ase: Activities an 

I Products 

Activity 

Product 

Activity 

Product 

[j~?| Monitor ATO and 
IATO expiration dates. 


[T^fe^tc syste^as&r 
thetet&ti&ind corallfSm 
of the ATO or IATO. 

Change requests 

|b| Notify system owner 

Recertification 

notice 


Requirements 

NnGt'itirations iyvkI^mS.! 

of recertification 
requirements. 


• uA*! ■ ..i! ii 

of compl iancc with 4 1 
conditions of IATO, and 
the implementation plan 

ITi) Review current 
system documentation 
and determine whether 
all ERK criteria have 
been met. 
f 

■ 

System 

certification report 
and ATO 

[Hi] Support RMAU 
review of system 
documentation. 


If “YES," certify the 
system by granting ATO. 
Proceed to Step 12. 


If “YES," conti ngupfr;- i 
operate the systems ' -j 
Proceed to Step f2." ' 


if “NO.” proceed to Step 
15. 


If “NO." proceed to step 

15. 
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New System ERKC Post Certification Phase: Activities and I" n.-f^ts 

Activity 

Product 

Activity 

IIIIIIHp 

jT^I Determine whether 
existing risks are 
acceptable. 

System 

certification report, 
RMP, and IATO 

R Examine issued 
system certification report 
and RMP and determine 
the plan's feasibility. 

Written %8lM 

acknowledgement of the 
terms of the IATO and 
implementation plan 



If the plan is feasible (i.e., 
•■YES”), provide RMAU 
with an implementation 
plan. 

Address risk(s) per 
implementation plan and 
provide RMAU with an 
implementation report. 


If “YES ” issue IATO. 

NATO 

Revised implementation 
plan 



If the plan is not feasible. 


If “NO,” issue NATO 
and notify system owner, 
1TMD. OGC, and 
ll^Cl'or. 


stop. Discontinue use of 
the system. 


.p-Wfexarnirie the 
implementation plan and 
determine if the system 
now meets ATO 
requirements. 

System 

certification report 
and ATO 

till ’ 0 



... . 

Sffll risks have been 
addressed, issue ATO. 


|T(i| Operate the system 
unipsigpp. 


If risks have not been 
addressed, issue NATO 
and notify system owner, 
1TMD. OGC,, trad the 
Director. 


If l|^rl|Wcccivcd. stop. 
Discontinue use of the 
system. 



Figure 4. F.&S^il^st-Certification Phase - New System 


4.2. ERKC Process for Legacy Systems 

The ERKC process for legacy systems requires system owners, PMs, and RMAU to undertake 
activities in only the last two phases of the ERKC life cycle because legacy systems have already- 
been developed and have undergone integration and acceptance testing. The sections below 
describe the associated activities and provide a simplified checklist approach that outlines who 
performs needed functions and tasks and who must produce written products to support the 
certification process. Because integration and acceptance testing will have already occurred for 
legacy systems, it may be necessary to develop and conduct a special demonstration of system 
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Electronic 

functions if RMAU is unable to dcten?4iT?erffo^-a kjvsSw dFijxisiing system documentation 
whether the system complies with fiRK 



for legacy systems is to determine whether the system 
hi presented in Appendix D . RMAU should attempt to 
sous documents associated with the system. If sufficient 
& must request that the system owners conduct a specially 


4.2.1. Validation Phase 

• ! w v 

The purposH 
satisfies the 
ascertain tl 
information 
focused syp| 

RMAU muKi|ik^a| Iw»ess upon learning of a legacy system. Triggers include 

Exhibit 30ul is&S 9 'Stem security plans, and updates to application architecture 

documents™!?^. tfymVfl’ pjj&jthe system owner to determine whether the system contains 
records. If the system cloes not contain records, no further action by the system owner is required. 
RMAU must document that the system docs not contain records in the RMAU tracking system 
and issue an EC to the system owner (as discussed in subsection 4.1.1. of this PG). 

If the system docs contain records. RMAU must determine if a records schedule is already in 
existence or if one needs to be developed, as discussed in subsection 4.1.1. 

If RMAU determines that the records being maintained by a system will only need to be 
managed by the system for ten years or less, RMAU must cite appropriate records disposition 
guidance formally with a notification EC and should not require ERKC. 

Once records retention requirenieitts ssfeidentified for systems containing records that will be 
maintained more than ten years. RM^' ^ust determine whether the system meets all necessary 
ERK criteria by reviewing system documentation and the results of the system's 
integration/acccptance testing. If an appropriate determination cannot be made from these 
documents, RMAU must request additional docufKCt&sfion (c.g., user guides and system 
administration manuals); if RMAU still cannot d^ajs^tc whether the system satisfies the needed 
ERK criteria, RMAU must direct the system owiftpKftionduct a special demonstration of the 
system functions in question. RMAU must then issue either an ATO or an 1ATO, providing 
guidance for the corrective actions needed to achieve ATO. This process will require RMAUio 
prepare an RMP and the system owner to determine if the plan is feasible. Figure 5 il 
steps and products associated with the validation phase for a legacy system. 


"I*,! ■ 


' Existing documentation may include, but is not limited to. test plans, system design documents, requirements 
specifications, user guides, and system administration manuals. 
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Activity 


yj Review available 
system documentation 
(e.g.. Exhibit 300s, 
Exhibit 53s, system 
security plans, application 
architectures) to identify 
legacy systems. 


H Meet with system 
owner to determine 
whether the system 
contains records. 


IrfES,” issue ATO. 
If ‘'NO,” go to Step 5. 


Entry in RMAU ERKC 
tracking system 


If “YES,” proceed to Step 
3 and determine if records 
will be managed under an 
existing records schedule, 
or if a new records 
schedule should be 
developed. 

if‘•NO/’issueanEC 
detailing the decision. 


[| Request requirements 
specifications, test plans, 
and test results from 
system 

integration/acceptance 

testing. 


Review system 
documentation to 
determine whether ERK 
i cmcria are being met. 

I Sf fejif 


Desc ri $■$}$$$} 
for inclusifcjft w»!i< 
RMAU 
system and an 
indication of whether 
the system contains 
records 


Records disposition 
guidance or new draft 
records schedule, as 
appropriate 


[l] Ensure that system is 
recorded in B1KR and 
that system 

documentation is being 
managed as part of a 242 
classification case. If not. 
establish a 242 case 
under the guidelines of 
Section 6. 


| Meet with RMAU to 
determine whether the 
system contains records. 


BIKR registration 
number and 242 case 
file 


Request fcafM'Sfem 
documentation 


System certification 
report and ATO 



If "YES,” proceed to Step 
3. 


If “NO,” stop. 


[I Provide system 
documentation (as 
available). 
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ERKC Validation Phase: Activities a® 





Activity 

Product 

Activity 

jfi] If documentation is 
insufficient to evaluate 
compliance, validate ERK 
criteria through a 
demonstration. The 
demonstration should 
address questions and 
issues developed to 
complete the system 
certification report. 

Questions and issues to 
be addressed by the 
system demonstration 

|HJ Demonstrate relevant 
system functionality in 
support of ERKC 
evaluation. 

jhj Review system 
.certification report and 
"4^hnine whether all 

TJ$*l| criteria have been 
met. 

System certification 
report and ATO 


If‘'YES,” issue an ATO. 


j(] If “YES,” continue to 
operate the system. Go to 
Step 11 . 

If “NO,” proceed to next 
step. 


If "NO,” proceed to next 
step. 

[ 7 ] Determine whether 
existing risks are 
acceptable. 

System certification 
report, RMP, and 

IATO 


If “YES,” issue IATO (not 
to exceed one year). 
Proceed to Step 11 . 


[ 7 ] If "YES,” operate 
system under terms of the 
IATO. Provide RMAU 
with an implementation 
plan within 90 days. 

If “NO.” work with the 
program office to create a 
mitigation plan that meets 
both program office and 
RMAU requirements. 


If “NO,” work with 

RMAU to revise the 
ipjiiiiga^k>^^>ian and create 
j [0^i^s^aitation plan 
! program 

needs. 

.. 



System demonstration 



Written 

acknowledgement of 
the terms of the IATO 
and implementation 
plan 

Revised mitigation 
plan and 

implementation plan 
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8 ] Examine'*^ 
lmplementan^ 
determine if&'$ 


jij Examine the 
implementation plan. 


If the plan is feasible (i.e., 
‘'YES”), issue IATO (not 
to exceed one year). 


If the plan is not feasible 
(i.e., “NO”), work with 
program office to revise 
the implementation plan 
to meet both program 
office and RMAU needs. 


If the plan i,^r)i' 


RMAU to revise thb 
implementation plan to 
meet both program office 
and RMAU needs. 


Figure 5. ERKC Validation Phase - Legacy System 
4.2.2. Post-Certification Phase 

The purpose of the post-certification phase for a legacy system is twofold. First, it enables 
RMAU to determine whether the terms of any IATO should be extended or whether the IATO 
should be changed to an ATO or an NATO. Second, it enables RMAU to perform routine, 
periodic (every three years) reviews of the status of systems granted ATOs to ensure that the 
systems continue to meet all ERK criteria. 

lATOs for legacy systems will have certain terms and conditions associated with them. For 
example, an IATO may authorize the continued operations of a non-ERK-compliant system for a 
specified period of time (e.g., 12 months) because the system wifi be retired or replaced with an 
ERK-compliant system within this period of time, and the costs of retrofitting the noncompliant 
system are deemed excessive relative to the risks associated with continued “as is” operation. 
Similarly, RMAU may issue an IATO for a legacy system because there is a planned upgrade to 
the system that will make it ERK-compliant within a specified period. Lastly, RMAU may issue 
an IATO for a legacy system because it was developed and implemented for emergency purposes, 
and the emergency still exists. The process for post-certification of legacy systems is id|£|t|gg| to 
the post-certification process described for new systems (see subsection 4.1.4. and F ig 

4.3. Risk Management 

An important aspect of risk management is to determine the potential negative impact with 
regard to the management of records associated with any criteria for which less-lhan-complete 
satisfaction was demonstrated by the PM or owner during an evaluation of system 
documentation (i.e., criteria for which the compliance value iss|§|g|{|han 1). This information 
must serve as the foundation for any mitigation plan develope|j§f||||>tain an IATO. 
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4.3.1. ERKC Report, Risks, and Mitigating Factors 

The ERKC evaluator must develop the ERKC report using the completed F.RK Compliance 
Evaluation Worksheet, which is based on the ERK assessment criteria listed in App endi x D . and 
notes from meetings with the system owner. The report should summarize the results of the 
system evaluation and focus on descriptions of risks and unique system characteristics that 
mitigate risks. The report must be organized according to the six criteria classes, as shown in 
Appendix P . to ensure that related risks are discussed together to provide sufficient context to 
support a certification decision by RMAU. The final ERKC report consists of this risk analysis 
supported by the final completed ERK Compliance Evaluation Worksheet. 

Each risk identified as a result of the risk analysis process should have a mitigation strategy . 
Therefore, RMAU must create an RMP when issuing an IATO. A mitigation plan is used to 
lessen or alleviate the adverse effect of the risk: however, interim countermeasures may also be 
effective in reducing the system risk level. 

Examples of possible mitigation strategies include: 


® Using an alternative method of storing records (c.g., printing out and filing records in 
paper form) until the ability to transfer records to the RMA is built into the system. 

• Including the desired feature in the next version of the system upgrade that is funded for 
the following year. 



• De^cmmii 
wit 


Uibat the system is temporary and will outlive its usefulness (or be replaced) 
__^_Swing year. 

The systenj^^gg^^t develop an implementation plan to address identified risks. After RMAU 
has rcview^^^^^ivcd the implementation plan, the program office must provide periodic 
iinpIcmenS^^R^^ documenting when changes arc made addressing the identified risks. 
RMD will review and recertify the system, after changes are implemented, within one year for 
new systems or three years for legacy systems, as indicated in the EC notifying the system owner 
of the IATO. 
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5. Summary of Legal Authorities 

• The Federal Records Act of 1950. as amended (Title 44 United States Code [U.S.C.j 
Chapters 21. 29. 31, and 33) 

® The E-Govemment Act of 2002 (44 U.S.C. Chapter 35) 

• NARA Regulations for Federal Agency Recd^^itle 36 Code of Federal Regulations (CFR) 
Chapter 12. Subchapter B) 

• Office of Management and Budget (OMB) Circular A-130, Section 8a(k) 

• Policy Directive (PD) 0457D. HMD Sfatenunu of Authorities and Responsibilities 
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6. Recordkee ping Requirements 

Classification 242 (Automation Matters) was established to house records related to the design, 
acquisition, development, implementation, certification, and modification of FBI systems. The 
creation, maintenance, and retention of system documentation records are necessary for 
recordkeeping purposes during the full system life cycle. These records provide evidence of the 
following: 

* Procurement 


» Development 

• Technical requirements 

• Implementation 
*> Maintenance 


All legacy and new systems should have a classification 242 main file for the management of 
system documentation. If not. system owners arc required to cither establish a case or request 
RMAU open a case. RM AU has developed a standardized list of system documentation that 
should be captured in the classification 242 case files, including documentation of the following: 


» 


9 




System design: Includes the concept of operations (C'ONOPS), project design, and 
functional requirements documents. 



’ O . f »' ' b i 

System development: Includi^t& ; s^^ll^i^^^!|9. installation, and testing records, 
as well as data dictionaries. ics, and technical documentation. 

Acquisition and contracting: procurement, the contract bid 

process, statements of work.:l8y^»^^^^&/|3quests|f^4«ptcs, contracting 


officer’s representative dcR$$$>jies not 

documented in contract filesivC'vk*-^^**^;*^.*:*.' 1 


otherwise 


System implementation and 
training records. 


^guides, operational support and 


» SSA under the Federal Information Security Management Act (FISMA): Includes system 
certification, accreditation, system security plans, and security records. 


® ERKC: Includes records related to compliance with ERK requirements. 

,.v> 

• Budget and finance: Includes records related to the allotmcnt;)j£|y»ds. 

• Meetings: Includes records of review boards and other informal 1 groups. Records include 
meeting minutes, agendas, briefings, attendees, and correspondence. 


« PIAs: Includes records related to the development and approval of PIAs. 

* Tracking: Includes status and progress reports, system modifications, and upgrades. 
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Appendix C: Key Words, Definitions, and Acronyms 

Kev Words 

* Electronic recordkeeping 
® Electronic recordkeeping certification 
® -Record 

"» Information life cycle management 
Information management 


Definitions 


Approval to operate: a certification to operate a system on a “permanent” basis (in the absence 
of subsequent modifications to the sjglje&'A granted by RMAU. Each ATO is good for a period 
of three years, and recertification completed by RMAU for each system operating under 

an ATO within the three-year windowfwmch begins upon the granting of an ATO for the system 

Category: a records scries or a group of records with similar characteristics assigned to a 
particular records disposition schedule and generally handled as a unit for disposition purposes. 

In many RMAs, a category is a file folder icon in which records arc assigned. 


Disposition instructions: actions taken with regard to federal records after the records are no 
longer required to conduct current agency business. These actions include the following: the 
transfer of records to agency storage facilities or federal records centers (FRCs); the transfer of 
records from one federal agency to another; the transfer of permanent records to NARA; and the 
disposal of temporary rfig^s?, usually by destruction. 

Electronic informatio^|^|5m: an information system that contains and provides access to 
computerized federal records and other information. 

Electronic record: any information recorded in a form which only a computer can process and 
which satisfies the definition of a federal record under the Federal Records Act (see “record” 
definition below). The term includes both record content and associated metadata that the agency 
determines is required to meet agency business needs (36 CFR § 1220.18)|p|p| 

Exact match search: a search that returns data which includes the exact s||j|f|f |tring; also 
known as an “on-the-nose” search. 


File plan: a document that contains the identifying number, title, or description and disposition 
authority of files held or used in an office. 

Global change: an automatic search-and-replace feature. Global changes are performed when 
one change needs to be made to a number of records. By doing a global change, the new data is 
keystroked once. 

Implementation plan: a plan written by the system owner outlining how identified risks will be 
corrected to ensure that RM requirements are met... 

Implementation report: a report notifying RMAU that She changes outlined in the 
implementation plan have been completed. 
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Interim approval to operate: a certification granted by RMAU to operate a system for a 
temporary period of time and in accordance with specified conditions. 

Metadata: preserved contextual information describing the history, tracking, and/or 
managem4S§|$|§n electronic document. Metadata describes information—specifically, its 
context, ccdispfi,' structure, and management over time. .Sec 36 C.F.R. § 3236.2. This data is 
needed to felmthformation resources, such as ERK systems, and support records creators and 
users. 


No approval to operate: the denial of approval to operate a system because it fails to meet 
critical recordkeeping criteria. 

Proximity/adjacency searches: searches that return data which include search strings within a 
certain “distance” of other strings (e.g., when the word “fire” is within 50 characters of 
“explosion”). 

Record: according to 44 U.S.C. § 3301: 


[All recorded information], regardless of form or characteristics, made or received by an 
agency of the United States government under Federal law or in connection with the 
transaction of public business and preserved or appropriate for preservation by that 
agency or its legitimate successor as evidence of the organization, functions, policies, 
decisions, procedures, operations, or other activities of the United States government or 
because of the informational value of data in them. Library and museum material made or 


acquired and preserved solely for reference or exhibition purposes [and] extra copies of 
documents preserved only for convenience of reference... are not include^!! / • 1 1 \ 

Recorded information includes all traditional forms of records, regardless $$ 
characteristics, including information created, manipulated, communicated^ 
electronic form. 



rm or 
digital or 


Records disposition schedule: provides specific and mandatory instructions for the 
management of records created, maintained, and used by systems during the conduct of FBI 
operations and specifics the overall retention of the records once the operational needs have been 
met. 


Records Management Application Unit: the designated unit of RMD responsible for reviewing 
the ERK capabilities of new and legacy systems and determining whether to grant system owners 
permission to operate the systems from a recordkeeping perspective. 

Relevance ranking: a system mechanism that determines the degree to which the retrieved data 
are relevant to the search. 

Risk analysis: the process performed by RMAU to determine the acceptability of the risks posed 
by a system that does not meet all of the required ERK criteria. 

Risk mitigation plan: a plan developed by RMAU that spells out a proposed approach to 
alleviate the risks posed by a system that does not meet all ERK criteria. 

Sealed record: a record that has been redacted and has an identifvit^^^ter burned into the 
document so the redacted information may not be reversc-engineerc^^^cd documents may not 
be unsealed. 
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Stop words: extremely common words that a search engine will not search for in order to save 
space or speed up searches. Examples include “the,” “it,” “and.” “a,” and “or.” 


System: an information system that contains and provides access to computerized FBI records 


and other information. 

00m 

System development life cycle: the design, development, dcploymc&L miration, and 
maintenance of systems. 


System owner: a broad term referring to anyone who manages the acquisition or development of 
an electronic information system or places an electronic information system into operation. 
Within the FBI. the CIO and each assistant director (AD) is responsible for the operational 
management of applications or electronic information systems that directly support his or her 
business area. 


Vital recoHjJ 

e mcrgenc ii>k j th&fadx ti 
persons afftjc^*&^!$<M; 


agency for continuity of operations before, during, and after 
protect the legal and linancial rights of the government and 
jvities. 


Wildcard (maWjtjr's&at can be used in queries in place of unknown characters and 

_ 'jt . . r: __1 „ .-u: __1.1 .I...- 


to search fvA mhwpjfc|i term. For example, searching “terror*” would retrieve data 
that includ^Ji^^ 7l ,^Q^>s;tsi^-l^rorism.” and similar terms. 


Acronyms 




AD 

asaSw^director 

BB 

American Standard Code for Information Interchange 

EPlISlli 

approval operate 

. 

BIIF 

Binary Image Interchange Format 

B1KR 

Bureau Information nowledge Repository 

CFR 

Code of Federal Regu^^^vjf^ 

CONORS 

concept ot operations — ^**&$*& 

COR 

contraeting officer’s representative 

DMA 

document management application 


'<t^^^:.eoiiiroamc£tion j 

EO 

Executive Order 

F.RK 

electronic recordkeeping 
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• HRKC 

electronic recordkeeping certification 


Exchangeable Image File Format 

FBI 

Federal Bureau of Investigation 

FISMA 

Federal Information Security Management Act 

FOIA 

Freedom of Information Act 

FRC 

federal records center 

GIF 

Graphics Interchange Format 

.-~nr . 

IATO 

interim approval to operate 

ID 

identification 

rr 

i n format 

rrcRMD 

Informat^j^g^^i^gy Customer Relationship and Management |&$$g|:)n 

JPEG 

Joint Photographic Experts Group 

KM 

knowledge management 

NARA 

National Archives and Records Administration 

NATO 

no approval to operate 

OGC 

Office of the General Counsel 

OMB 

Office of Management and Budget 

00 

office of origin 

PD 

policy directive 

PDF 

Portable Document Format 


policy guide 

HA.- 

Privacy Impact Assessment 

PM 

project manager 
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Portable Network Graphics 


records management 

RMA 

records management application 

RMAU 

Records Management Application Unit 

RMD 

Records Management Division 

RMP 

risk mitigation plan 

SAA 

Security Assessment 

SDLC' 

Aft™ 

system development 1 

SecD 

Security Division 

sRGB 

_ 

standard red-green-blue 


Tagged Image Interchange Format 


. . . 

URL 

uni form resour^le^itor 

U.S. 

United States 

u.s.c. 

United States Code 
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Appendix D: Electronic Recordkeeping Assessment Criteria 

pfjpjjjP 

This appendix eontains the ERK assessment criteria, which have been established by R@||@i- 
all FBI reeordkee gjng in formation systems. The criteria are the basis on which new antMwiMng 
systems arc evaliisfcoXibr ERKC. Each criterion is followed by one or more sample functions and 
expected results f||p§|n be used to assist system owners in developing test plans and to support 
the review of test results by RMAU. 

Note: The “user” refers to authorized users only. Different functions are permitted for different 
groups of users (e.g., administrative functions for records managers, retrieval functions for end 
users). 


Criterion 1.1: The system designates specified information as records, either manually or 
automatically {once saved, the record cannot be changed). 


Sample Function 

Expected Results 

f^'^^^f^bciiment into the system. 
|^^^^||thc document as a record. 

Record document is not changed once saved. 

Non-record documents in the system are not 
marked/fiagged as records in their metadata (see 
Appendix C for definition), so anv version of a 
record can be recreated if needed. 

CMicrloa',1.2: The system assigns unique identi tiers to records and their associated 

?§ metadata. The system prevents any modification of a record's unique identifier 

once it is defined. 


Sample Functions 

assign a common identification 
records. 

Assign unique IDs to a set of records and 
their associated metadata,,.Qjpck whether 
the IDs adhere to the re$$?j&ltnd their 
associated metadata. 

Attempt to modify or delete assigne^^^i- 


Expected Results 


The system notifies the user that a task is 
prohibited and prevents assignment of a comm on 
IDl^l^m^ct records. temM 

A^^P^§H^ihcrc to the records and tiff'll 
as^^^^p|data. 

the user that a task is 

f'^Shibited and prevents modification and deletion 
ppassigned IDs. 


Criterion 1.3: The system capiut 

automatically anePMH 


juadata (FBI-designated and others) 
h metadata to the records. 


Sample Functions 


Expected Results 


Retrieve each of the designated metadata 
elements for a record. 

Refer to Appendix E for the metadata list. 


Each designated metadata element is retrieved and 
populated with a valid entry. 

System captures all required metadata elements. 


1. Declare Records 
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CBS—n— 


Sample Function 

Expected Results _V_ 

Import a record and its Jp^^icd metadata 
into the system from a 
management system. 

The record and its associated metadata are 
successfully imported into the system. 

Criterion 2.2: The system provides RM control over the records without physically 

transporting them to an RMA. The system links records to an external RM A. 

Sample Function 

Expected Result 

Flag an entity in the system as a record and 
link it to the relevant file classification in 
the RMA. 

The entity is identified in the system as a record 
and linked to the appropriate file classification and 
disposition in the RMA. 

3. Maintain or Use Records 

3.1 Record Organization 

Criterion 3.LI: The system accepts an FBI-specific scheme for organizing records. For 

example, the system accepts FBI-specific records disposition schedules and 
organizes records according to the schedules. 

Sample Functions 

Expected Results 

Input an FBI-spccific records disposition 
the system. 

P^pf^Ptmation declared as records with 
l^^^^cords disposition schedule 

arid manage records in accordance 
with the records disposition schedule. 

FBI-spccific records disposi<^J§|iedulc is 
successfully input into the s^tM*#- 

Information input into the system is managed as 
records with correct records disposition schedule 
characteristics. 
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Sample Functions 

Input a user-designated file plan cat|^||ajfc2 

Assign records to the user-designateij^fegg?’ 
plan category. 


file plan category conflicting with 
plan is rejected. 

file plan category that does not 
^^^ HS^^Bl-spccific file plan is accepted. 

10 ■he user-designated file plan 
r^^O ^ |- jfe iitained within or linked to the 


Criterion 3.1.3: The system supports assignnn 
definition) indicators. 


Hal record (see Appendix C for 


Sample Functions 


Expected Result 


Input information known as a vital record. 

Designate the information as a vital record 
by assigning a “yes” value to the vital 
record metadata element.,. 


Record is shown as a vital record in its metadata 


erion 3.1.4: If a 


cord, system establishes a vital record review and update cycle. 


Sample Function 


Expected Result 


The periodic replacement of obsolete 
copies of vital records with copies of 
current vital records. This may occur daily 
weekly, quarterly, annually, or at other 
designated intervals, as specified by 
regulation or by RMAU. 


Documentation indicating when the vital records 
update cycle occurs. 


Criterion 3.1.5: The system supports the linking of related records (e.g„ a redacted record with 
its non-rcdacted counterpart, an original record with its revision, or an 
electronic record with a paper antecedent 4 ). 


Sample Function 


Expected Result 


Perform operation of linking records with 
other related records. 


Record metadata carry information that designates 
which they are linked. 


The system supports the capal 


- 

For example, official corrd^^ss^si|S^! have been initiated on paper (paper antecedent), and the response was 
an electronic reply (electror^ ; ^^^^|'ij id 1 

*V, . . **t' - 


• tin " ’ll Ilia 
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including categories and subcategories. The system prevents deletion of non- 
empty folders. 

Sample Functions 

Expected Results 

Create a system file plan and a category 
and suheategory within the file plan. 

Edit the file plan, category, and 
subcategory. 

Delete the file plan, category, and 
subcategory. 

Attempt to delete a category containing 
items. 

Categories and subcategories are successfully- 
created. edited, and deleted in the system file plan. 

The system notifies the user that this task is 
prohibited and prevents deletion of the category- 
containing items. 

Criterion 3.1.7: The system can assign a status to records to prevent destruction (i.e., the 

system contains an indicator that includes an option to mark records as “do 
not-desfroy.” which prevents records from being selected for destruction or 
transfer according to records disposition schedules). When the reason for 
altering disposition has expired, it is necessary to unmark data. 

Sample Functions 

Expected Results 

Select the “do-not-desu|^'jpitus for a 
record that is identified ^^>truction 
according to the records disposition 
schedule. 

Attempt to identify the record for 
destruction while the “do-not-destrolp^Jiijv 
status is selected. IwWity 

Identify record folders and/or rccorcre'^MM; 
have been frozen and provide authofmia'^' 
individuals the capability to unfreeze them. 

The “do-not-dcstroy" status is visible and enabled 
for the record. 

Unsuccessful in identifying (he record for 
destruction. 

jS^tcm should unfree/.c records/record folders to 

® calculated phase of their life cycle as if they 

iwfcjrc never frozen. 

& 

iHi, 

Criterion 3.1.8: The system supports global changes (see Appendix C for definition) to 
metadata, file plans, and records disposition schedules. 

Sample Function 

Expected Result 

Change the value of a metadata element 
from its current value to another using 
keyed input. 

All instances of the former value are changed to 
the new value. No instances of the former value 
remain in the selected metadata element. 
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Criterion 3.1.9: The system executes disposition (see Appendix C for definition) instructions 
te.s- moves a group of records from active to inactive status or designates a 
group of records for destruction or transfer). 

Sample Functions 

Fxpevfc^yEesul t s 

Search the system for a set of records that 
arc eligible for disposition. 

Use authorized user ID to approve and 
execute the disposition instructions for the 
set of records. 

Use unauthorized user Attempt to 

approve and execute th£$f§j^sition 
instructions for the set <f||i§|irds. 

Sy^^Ttieviit iles and set of records (hat 

are eligible for disposition. 

The disposition >i«^j[Mlsps^ 1 'are successfully 
executed under user ID. 

The system noti.^t^I^y^that this task is 
prohibited and p^-V^^^p'ibxcciilion of 
disposition instrtslp{i6ftft.Whd»;r the unauthorized 
user ID. 

Criterion 3,1,10: For $$$Mk that manage physical records, the system specifies identifiers for 
boxes, contents, locations, and the like. In other words, the system stoi cs 
metadata for physical records not contained in the electronic information 
system and can identify physical records by physical location (e.g„ box 
number, location ID. and similar). 

Sample Function 

Expected Result 

Enter into the system physical location 
metadata for a physical record. 

Metadata for the physical record is accepted and 
stored in the system. 

Criterion 3.1,11: The record set of system documentation has been properly captured and 
uploaded to Sentinel in the 242 case file designated for this system. 

Sample Function 

Expected Result 

Review the 242 case file to find which 
documents have been serialized for the 
record set of the system documentation. 

Current system documentation has been properly 
captured within the 242 case file for the system. 

3. Maintain or Use Records 

3.2 Records Security 

Criterion 3,2.1: The system prevents the overwriting of records. To corr 
guidelines, records are never edited, but new versions a 
to the source. 


Sample Functions 

Expected Results 

Copy a record from the system to a 
document management application (DMA). 
Mvdify the record and attempt to re-file it 
system. 

Record copy is created and accessible in the 
document management system. 

System prevents the modified record from 
overwriting the original record. System prompts 
the user to file the modified record as a new- 
record. .jiaff 





















pm* 
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Sample Function 

Expected Result 

User attempts to modify and/or delete 
indices and categories for a set of records. 

Prohibited action does not happen. Indices or 
categories in use arc not deleted or modified. 

Criterion 3.2.3: The system (or system ownerl riiniihaiiri appropriate backup copies of records 
and recordkeeping systems. 

Sample Function 

Expected Result 

Confirm that backup procedures fi^ist for 
the system. 

The system follows its backup procedures and has 
evidence of being regularly backed-up. 

Criterion 3.2,4: The system is protected by adequate recovery/rollback and rebuild procedures 
so that records may be recovered or restored following a system malfunction. 

Sample Function 

Expected Result 

Confirm that recovery/rollback and rebuild | 
procedures exist for the system. 

The system has rccovery/rollback and rebuild 
procedures in place, and they have been tested. 


3. Maintain or Use Records 
3.3 Access & Retrieval 


Criterion 3.3,1: The system controls access so that only authorized indi 
retrieve, view. prim. cops, or h p. .-'j&’pv other entit 


I are able to 


retrieve, view, print, copy, or *- »• other entities'(e:'g., metadata, file 

plan, etc.) in the record keep in;; 

Sample Functions 7 ’' 'i'"\ Expected Results 


Designate a test set of user IDs; set access Re£?6flf fS tfbniYo be retrieved, viewed, printed, 
privileges to retrieve, view, print, copy or copied, and edited. 

edit a record. The system notifies the user (hat these tasks are 

Use an authorized user |||ffjTetrieve, view, prohibited and prevents the actions from occurring, 
print, copy, or edit a re<$®reP£ 

Use an unauthorized user ID to attempt to 
retrieve, view, print, copy, or edit a record. 


Criterion 3.3.2: The system identifies individuals and groupsg^jv -. a allows different 

access privileges to be assigned to individuals or groups. The system ensures 
that all access privileges (permissions and restrictions) are enforced on all 
retrievals. 


Sample Functions 


Expected Results 
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Designate two test sets of user IDs; gtW 
members of each set different access _ 
privileges and restrictions. For each SSt-of 
user IDs, attempt actions that are both 
allowable and restricted based on the 
access privileges and restrictions set. 

Designate a test set of user IDs; set 
different repo/dH'TStii^ya 1 access privileges 
for each each user ID. 

attempt bo^;^i^i^|^i«i4 | 3 j.-ohibitcd 
retrievals. ' 

Atitnva&ffaettSns occur for each set of user IDs. 
JRt&h&ifeii actions do not occur for each set of user 

m 

Allowable retrievals occur. 

Profeifcafed retrievals do not occur. 

Criterion 3.3J: The system maintains the integrity of redacted records and ensures that 
redacted material is not accessible on scaled records (see Appendix C for 
definition). 

Sample Functions 

Expected Results 

Retrieve a random sample of sealed records 
and confirm that redacted material is not 
viewable. 

Attempt to recongjtaet;4hc redacted 
material. 'H::* 

All redacted material in the scaled records is not 
viewable. 

The redacted material cannot be reconstructed. 

Criterion 3.3.4: The system provides a sufficiently wide range of search features and options, 
as needed to meet Bureau requirements. These might include searching on 
individual terms or a combination of terms; wildcard or exact-match 
searching, proximity or adjacency searching, relevance ranking of search 
results, use of stop words, limits on maximum si /4 of results set from a 
search. Query bv image content, or others. See Appendix C for definitions of 
these terms. 


D-7 

UNCLASSIFIED 













UNCLASSIFIED 

Electronic Recordkeeping Certification Policy Guide 


Sample Functions 


Expected Results 


Conduct records searches by: 

® Searching on individual terms. 

* Searching on a combination of terms. 

* Wildcard-matching. 

« Exact-matching. 

® Proximity or adjacency searching. 

* Excluding specified stop words. 

* Setting limits on the maximum size of 
v the results set. 

•\'4 Searching image content. 

* Using other functions determined by 
system owner to be necessary for the 
system. 

Conduct a search that ranks the search 
results according to relevance (i.c., with the 
most relevant search results appearing at 
the beginning of the list and items 
gradually decreasing in relevance toward 
the boftoni|^pP list). 


3. MMNTAJyjyaB Use Records 
3.4 Re®$$$Preservation 


Criterion 3.4,1: The system enables migration of the records to a new format before the old 
format becomes obsolete. Any migration must be preplanned and controlled 
to ensure continued reliability of the records. 


Sample Functions 


Expected Results 


Select a set of records and metadata. 
Convert a copy of the records to the^.-,^- 
standard FBI software format for mi^rsltag 
records. 

Export a copy of records and metadata to 
another system and verify receipt of export. 


The converted records and metadata are opened 
successfully in the new' software format. The 
records and metadata content have not changed 
and remain readable and understandable. 

The selected set of records and metadata is 
successfully imported to another system. The 
records and metadata content have not changed 
and remain readable and understandable. 
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search criteria. 


Search results are listed in order of relevance. 
System documentation describes the algorithm(s) 
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3. Maintain or Use rntt 
3.5 Audit/Oversight 


Sample Functions 


Expected Results 


Run sampling process on the upgrade copy 
to verify whether records remain associated 
with their metadata. 

Run reporting function and output function. 


Criterion 3.5.1: The system provides access to summary reports (e.g., number of accesses) 
and detail-level audit trail information (e.g.. each individual record access, 
including record identifier, date, time, and user). The system supports the 
capability to continuously compile and output periodic and on-demand reports 
of summary and deiaikd audit trail information. 


Expected R&jStlls' 


Sample Functions 


Set formats, data elements, parameters, and 
periodicity for audit trail reports. 

Perform, output, and/or provide user access 
to periodic or on-demand audit trail reports. 

Set system for continuous running of audit 
trail report function. 


Periodic audit trail reports are successfully 
compiled and output according to set formats, data 
elements, parameters, and periodicity. 

On-demand audit trail reports arc successfully 
output and/or prepared for access. 

System continuously runs the audit trail report 
function. 


S imon 3.5.2: The system tracks failed attempts of all records ac 
I In other words, the system detects records and out 

attempts to access records or metadata or conduct 
system tracks information such as user ID. date, at 


Sample Functions 


Expected Results 


Using an unauthorized user ID, attempt to 
modify a record. 

Using an unauthorized attempt to 

modify user access permissions. 


Failed attempt at record modification is detected, 
recorded, and output. 

Failed attempt at modification of user access 
permissions is detected, recorded, and output. 


Criterion 3,5.3: 


Sample Functions 


Perform a set of actions resulting in audit 


Audit trail activity is recorded as expected 


trail activity 


Audit trailreport is declared a record and its 
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Declare, etSifetManually or automatically, metadata is linked to the record. 

the audit trail report a record, and enter 

associated metadata. Verify whether each 

audit (rail report is declared a record with 

associated metadata. 


Criterion 41.; The system identifies records eligible for transfer or desMkTiPjfbased on 
records disposition schedules and disposition instructions (i,e.. the system 
automatically detects when a record's disposition period will pass, notifies 
RMAU that, the record is eligible for disposition, and stipulates whether the 
record is el igible for transfer or destruction). 


To Sample Functions 


Expected Results 


RMAU is notified by the system that the set of 
records is eligible for disposition. 

RMAU is informed by the system regarding which 
records are eligible for transfer or destruction. 


The system exports records and metadata to be transferred (i.e., copies and 
subsequently removes them from the system) in a format, acceptable for 
transfer to NARA.' S 


Sample Functions Expected Results 


Verify whether in-system ..documentation 
records can be exported! R A - accepted 

formats. 

Issue export command for a set of records. 


Records are migrated and converted to an outside 
system or media in a NARA-acccptable format 
(only applicable to records that must be 
permanently retained). 


Sample Functions 


Expected Results 


Insert set of records an<||p|SSflata to be 
destroyed. Issue destmt$^$pmmand for 
the records and metadara. 

Attempt to retrieve and reconstruct the 
records and metadata. 


Designated records and metadata arc deleted from 
the system. 

Neither the system nor any external procedures or 
software is successful in retrieving or 

. 4 ?,;' 11 metadata . f 


J Contact NARA for acceptable transfer formats. See 36 CFR § 1228.270. Transfer formats are specified in records 
disposition schedules. 
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The system deletes records to be destroyed so that they cannot be physically 
reconstructed or otherwise retrieved. 
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Sample Functions 

Expected Results 

Insert set of records and metadata to be 
destroyed, issue destruction command for 
the records and metadata. 

Declare the fact of destruction of records 
and metadata to be a record for each 
member of set. 

Re£ej|p|pf destruction are maintained. 

Records of destruction are not capable of being 
destroyed. 

5. Process Records Containing Restricted or National Security Classified Data 

Criterion 5.1: The system captures national security classification metadata for classified 
records. These metadata elements include current classification, reason for 
{authority/the classification gufd Ossification source, derivati ve 

source (if any), declassification ’grade instructions, review date, 

reviewer, declassification date, and .'.'.verifier. 

rsm'; 

Sample Functions 

Expected Results 

Import set of national security classified 
records to the system. 

Using an authorized user ID. enter 
metadata stipulating that the records arc 
classified for purposes of national security, 
and populate additional classification- 
related metadata elements. 

Imported national security classified records are 
accepted successfully in system with associated 
metadata. 

Metadata stipulating classifications^^ plus 
additional related metadata, arc suci^^jlly 
entered in the system. 

Criterion 5.2: For derivatively classified records, the system supports the capability to 

capture multiple reasons (“Reason(s) for Classification”) and multiple sources 

(■'Classified By") metadata ek&MIf. 

. . 

Sample Functions 

Expected Results 

Import er designate a set of derivatively 
classified records. 

Assign multiple reasons and multiple 
sources in the associated metadata for each 
record. 

Set of derivatively classified records is 
successfully designated or imported. 

Associated metadata for derivatively classified 
records successfully aecepts.#|ij?iple values for 
reasons and sources. W, 

- 

Criterion 5,3: The system provides a method for assigning classification levels to records 
(e.g., through a data or metadata field}. The classification levels should 
include. wu he limited to: Confidential. Secret, fop .S'derei. ug,; Nr> 

Markfifiw 


Sample Fufaetlop 

Expected Result 

- i - - 1 .... 

Enter five records, and assign a different 
classification level to each record. 

Each record includes in its metadata a 

Confidential, Secret, Top Secret, or No Marking 
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classification. 

Criterion 5.4: The system provides a method for assigning the declassification review date. 

Sample Function 

Expected Results 

Indicate date on wbjclUhe records should 
be reviewed unde#IMskufive Order (EO) 
12958. as amended^'-; 

The date or the exemption category that applies to 
this set of records is successfully assigned. 

Criterion 5.5: Authorized users can make changes to the retention period before 

declassification. [Note: Declassification review occurs outside the system.] 

Sample Function 

Expected Result 

Use an authorized user ID to modify the 
retention period for a set of records. 

For the designated set of records, the retention 
period is successfully modified. 

6. Interface with RMA (Export Records) [j 

Criterion 6.1: The system exports records and audit log history to the RMA. 

Sample Function 

Expected Results 

Issue a command to export a declared 
record and its history to the RMA. 

The set of records and audit log history arts; m 

successfully received by the RMA. | 

The system no longer contains the cxpoiie^V^^i'iAij 
records and metadata. 1 

Criterion 6.2: The system exports metadata attached t<> n > i - RMA. 

Sample Function 

lStifewted Results 

Issue command to export the metadata for a 
declared record to the RMA. 

The set of metadata fs successfully received by the 
RMA with the record. 

The system no longer contains the exported set of 
records and metadata. 

Criterion 6.3: The svstem identifies and exports associated (linked) records and maintains 
record relationships. 

Sample Function 

Expected Results AvA?; 

Select a lest record that has associated 
records. Export the record to the RMA, 
indicating, if necessary, the transfer of any 
associated records. 

The known associated records are transferred to 
the RMA. The relationship between the records is 
maintained in the RMA. 

Criterion 6.4: The svstem support-, tin '..•_ "ability to add necessary metadata when records 

are exported. Il§§§§ 
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Metadata file is accessed and missing metadata is 
successfully added. 


The system maintains pointers to exported records (Le., associated records in 
the system are linked to the exported record in the RMA). When a record is 
transferred from one system to another (the RMA), its “location"' changes. 
Any pointers to the record in its old location need to be modified to reflect its 
new location. 

For example, the system may contain past versions of a doenmp'^^tese 
versions may not be records, but documents), and the latest verMWidfs being 
transferred to a new RMA (possibly from a DMA). When a user opens up an ; 
outdated version of the document, the system should indicate that the latest 
version is located in the RMA. 


Sample Functions 


Expected Result(s) 


Issue a command to export a record with Pointers in the system reflect the RMA identifier 
associated records to the RMA. for the ported record. 


Criterion 6.6: Unique identifiers are transf 
system sends the i 
RMA when a ree<; . 


■ * 




Sample Functions 


i«-.^SExpe c ted Result(s) 


Issue a command to export a record from The original system’s correct unique identifier is 
the system to the RMA. In the RMA. check locatpd-in Ihe.mctadata of the record in the RMA. 
the status of the field for the original 
identifier. 
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Appendix E: Records Management Application Metadata List 



System operations must be compared to this list of mandatory recordkeeping metadata elements. 
If an element is not required for the proper documentation and management of records due to the 
nature of system operations, the element should be indicated as “does not apply” during the 
RMAU evaluation of the system. 


Contributor Record ID 


A unique ID. provided by Site Contributing 
system, that identifies a particular record 
within that system. 


Defmltion/DescrJptlons 


Individual Documents 




Unique 

(may be systd»m|i^S^iM) 


An unambiguous system-generated data 
clement that identifies a particular record. 


FBI Case Number 

Identifies the classification, sub-classification 
(alpha), office of origin (GO), and sequential 
case number. 

Serial 

The number assigned to the document within 
the case. 

Document Type 

A code indicating the type of document. 

“TYPE” includes “DOCUMENT,” “EMAIL,” 
“IMAGE.” etc. 

Document Date 

Generally, the date appearing on the face of the 
document. In the case of e-mail, it is the date 
the e-mail was sent. 

To / Addressee 

The recipicnt(s) of the document. 


From,/. Author - Individual 


From / Author - Organization ■<£ 


Title / Subject / Topic of Docut 


Description /1 



The originator of the document. The individual 
who creates, sends, and signs the document. 


The organization to which the originator of the 
document belongs. 


; “name” of the document (e.g., 
n EC or memorandum, the subject 
[y^mail. the title of a report, briefing, 
;et) 


SBSBative description of the record, 
S^sstly contains keywords. 
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I Efenent 

Defii^l ic»«$)escr iptions 

,m, 

National Security Classification 

Identifies the level of United States (U.S.) 
classified information. 

classification reflects thc^^^f^^'sification 
in the document. 

Reason for National Security Classification 

The authoritative sourcca^^r^f^t data is 
classified. For derivative classified records, the 
system must allow the listing of multiple 
authorities. 

Declassification Review Date 

When data is eligible for declassification. 

Declassification Exemption Categories 

Provide the capability for an authorized 
individual to enter or update exemption 
categories in the “Declassify On” field and 
!3a$fo$^fencr a declassification date or event 
the “Declassify On" timeframe. 

Other Restrictions 

^PP§l|$^ecord to which a legislative or 
:3fcgSS5§5?^eslriction has been applied (c.g.. 

Rule 6(e). Freedom of Information Act, or 
litigation matters). 

Record Status 

■3 

-i 

Indicates the distinction between the official 
record, a copy, duplicates, and similar items. 

The default would be “Records.” Generally 
inherited from the file classification or file 
number. 

Records Disposition 

Actions taken with regard to federal records 
after they arc no longer required to conduct 
current agency business. Generally inherited 
from the file classification or file number. Can 
be permanent, disposable, sample/selcct - 
undetermined, sample/select - permanent, 
sample/select - disposable, or unscheduled. 

Selection Criteria 

If the disposition is sample/selcct - permanent, 
this identifies the criteria used to make the 
retention determination. 

Records Schedule Identification 

Identification of the approved disposition 
authority. Generally linkgd.fipin the file 
classification. V'M&iS 
























Element 


vNcummfim' 


Entry Date 

(may be system-generated) 


Electronic 


Policy Guide 


•TJse-JalC the record was entered into the 


system. 


Systems That Import and Manage E-Mail 


Address Name 


E-mail sender; may be mapped to author or 
originator. 


Distribution List 


E-mail addressee; may be mapped to 
addressee(s) or other addressee(s). 


Date/Time of Message Sent 


E-mail date sent; may bcf^|§Pfd as publication 
date. fafysS 


Datc/Timc of MessageJ&gfaved 


E-mail date received; may be mapped to date 
received. 


Scanned Image Format and Version 


Possible formats: 

• Tagged Image Interchange Format (TIFF) 

■o'Wftfeo 

\m$mo 

JlSiM"Photographic Experts Group (JPEG) 
(all versions) 

• Graphic Image Format (GIF) 87a 

• GIF 89a 

• Binary Image Interchange Format (BIIP) 

• Portable Network Graphics (PNG) 1.0 


Allowable versions are current or within two 
past versions. 


Narrative text describing each individual image 
in order to understand and retrieve it. Standard 
caption information typically includes the who, 
what. when, where^ aftd why about the 
photograph. 
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Subject 


E-mail subject may be mapped %.sefeject and 
optionally as title. 




Imported Records 


Portable^p^tnent Format (PDF) Version 


V‘i 


Digital Photograph - Captions 
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Element 


Digital Photograph - Photographer 


Digital Photograph - Copyright 




Identify the full name (rank) and organization 
(agency) of the photographer credited with the 
photograph. 


Indicate for each image whether there is a 
restriction on the use of the image because of a 
copyright or other intellectual property rights. 
The Bureau must provide, if applicable, the 
owner of the copyright and any conditions on 
the use of the photograph(s), such as start and 
end dates of the restrictions. 


Digital Photograph - Bit Depth 


Digital Photograph - Image Size 


Digital Photograph - Image Source 


>igital Photograph - Compression 


Digital Photograph - Exchangeable Image File 
Format (EXIF) Information 


Web Records - File Name 


Identify the bit depth of the transferred files, 


Specify the image height and width of each 
image in pixels. 


Identify the originifW&dium used to capture 
the images. 


Identify the file compression method used and 
the compression level (e.g., medium, high) 
selected for the image(s). 


Provide custom or generic color profiles, if 
available, for the digital camera or scanner 
used (e.g., standard rcd-grccn-blue (sRGBJ). 


Preserve and transfer to NARA the EXIF 

embedded in the header of image 
tags or JPEG markers) by certain 
, ras (e.g.. make and model of the 

•,jpi^.ti|i>^ibra). 

f ill 1 1» * . 

The file name of each Web site file may not 
exceed 99ASCII (American Standard Code for 
Information Interchange) characters, and with 
the path the name if may not exceed 254 ASCII 
characters. 


Web Records - Web Platform 


Include the specific software agpfigaiions and, 
where available, the intended bfQW&tf 
applications and versions. 


b Records - W'eb Site Uniform Resource | Include the starting page of the 
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Element 

Defii^^^Descrlptions 

Locator (URL) 

transferred content. 


Include the name and description of harvester 
used. If PDF. include the software and version 

Web Records - Capture Method 

used to capture the PDF. If more than one 
method is used, clearly identify which content 
was captured by which method. 

Web Records ~ Capture Date 

Date record was captured. 

Web Records - Contact 

Point of contact (POC) information for person 
responsible for capturing the Web record. 
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